cups/cups-1.5-additional_policies.patch

--- conf/cupsd.conf.in.orig	2014-01-29 14:31:32.000000000 +0100
+++ conf/cupsd.conf.in	2014-01-29 15:20:30.000000000 +0100
@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@
   </Limit>
 </Policy>
 
+# The policy below is added by SUSE during build of our cups package.
+# The policy 'allowallforanybody' is totally open and insecure and therefore
+# it can only be used within an internal network where only trused users exist
+# and where the cupsd is not accessible at all from any external host, see
+# http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
+# Have in mind that any user who is allowed to do printer admin tasks
+# can change the print queues as he likes - e.g. send copies of confidental
+# print jobs from an internal network to any external destination, see
+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
+# For documentation regarding 'Managing Operation Policies' see
+# http://www.cups.org/documentation.php/doc-1.5/policies.html
+<Policy allowallforanybody>
+  # Allow anybody to access job's private values:
+  JobPrivateAccess all
+  # Make none of the job values to be private:
+  JobPrivateValues none
+  # Allow anybody to access subscription's private values:
+  SubscriptionPrivateAccess all
+  # Make none of the subscription values to be private:
+  SubscriptionPrivateValues none
+  # Allow anybody to do all IPP operations:
+  # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document
+  # must be additionally exlicitly specified because those IPP operations are not included
+  # in the "All" wildcard value - otherwise cupsd prints error messages of the form
+  # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."
+  <Limit All Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document>
+    Order deny,allow
+    Allow from all
+  </Limit>
+</Policy>
+# Explicitly set the CUPS 'default' policy to be used by default:
+DefaultPolicy default
+
 #
 # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
 #
Accepting request 215537 from home:jsmeix:branches:Printing Solve bnc#857372 (and its various duplicates) by a major clean up and fix of the systemd unit files for CUPS that makes it again simple and secure to get cupsd working again as it did all the time in the past by a single simple and secure cups.service unit file. For experienced users cups.socket and cups.path are still provided as templates in /usr/share/doc/packages/cups/systemd/ so that experienced users can derive their own cups.socket and cups.path files according to their particular needs. When cupsd again "just works" as it did all the time in the past, then the next step is an optional systemd generator to create cups.socket that matches cupsd.conf see bnc#861084. OBS-URL: https://build.opensuse.org/request/show/215537 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=274 2014-01-29 15:05:09 +00:00			`--- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100`
			`+++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100`
			`@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@`
			`</Limit>`
			`</Policy>`

Accepting request 86885 from home:jsmeix:branches:Printing cups: upgrade to version 1.5.0 (bnc#722057) OBS-URL: https://build.opensuse.org/request/show/86885 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=228 2011-10-06 09:36:19 +00:00			`+# The policy below is added by SUSE during build of our cups package.`
Updating link to change in openSUSE:Factory/cups revision 70.0 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=018c50e08ef5ce023c87a657e330f3ef 2010-03-18 22:08:54 +00:00			`+# The policy 'allowallforanybody' is totally open and insecure and therefore`
			`+# it can only be used within an internal network where only trused users exist`
Accepting request 52897 from home:jsmeix:branches:Printing Upgrade to CUPS 1.4.5 OBS-URL: https://build.opensuse.org/request/show/52897 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=207 2010-11-12 08:51:26 +00:00			`+# and where the cupsd is not accessible at all from any external host, see`
			`+# http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings`
Updating link to change in openSUSE:Factory/cups revision 70.0 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=018c50e08ef5ce023c87a657e330f3ef 2010-03-18 22:08:54 +00:00			`+# Have in mind that any user who is allowed to do printer admin tasks`
Accepting request 52897 from home:jsmeix:branches:Printing Upgrade to CUPS 1.4.5 OBS-URL: https://build.opensuse.org/request/show/52897 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=207 2010-11-12 08:51:26 +00:00			`+# can change the print queues as he likes - e.g. send copies of confidental`
			`+# print jobs from an internal network to any external destination, see`
			`+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell`
Updating link to change in openSUSE:Factory/cups revision 70.0 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=018c50e08ef5ce023c87a657e330f3ef 2010-03-18 22:08:54 +00:00			`+# For documentation regarding 'Managing Operation Policies' see`
Accepting request 86885 from home:jsmeix:branches:Printing cups: upgrade to version 1.5.0 (bnc#722057) OBS-URL: https://build.opensuse.org/request/show/86885 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=228 2011-10-06 09:36:19 +00:00			`+# http://www.cups.org/documentation.php/doc-1.5/policies.html`
Updating link to change in openSUSE:Factory/cups revision 70.0 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=018c50e08ef5ce023c87a657e330f3ef 2010-03-18 22:08:54 +00:00			`+<Policy allowallforanybody>`
Accepting request 215537 from home:jsmeix:branches:Printing Solve bnc#857372 (and its various duplicates) by a major clean up and fix of the systemd unit files for CUPS that makes it again simple and secure to get cupsd working again as it did all the time in the past by a single simple and secure cups.service unit file. For experienced users cups.socket and cups.path are still provided as templates in /usr/share/doc/packages/cups/systemd/ so that experienced users can derive their own cups.socket and cups.path files according to their particular needs. When cupsd again "just works" as it did all the time in the past, then the next step is an optional systemd generator to create cups.socket that matches cupsd.conf see bnc#861084. OBS-URL: https://build.opensuse.org/request/show/215537 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=274 2014-01-29 15:05:09 +00:00			`+ # Allow anybody to access job's private values:`
			`+ JobPrivateAccess all`
			`+ # Make none of the job values to be private:`
			`+ JobPrivateValues none`
			`+ # Allow anybody to access subscription's private values:`
			`+ SubscriptionPrivateAccess all`
			`+ # Make none of the subscription values to be private:`
			`+ SubscriptionPrivateValues none`
			`+ # Allow anybody to do all IPP operations:`
			`+ # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document`
			`+ # must be additionally exlicitly specified because those IPP operations are not included`
			`+ # in the "All" wildcard value - otherwise cupsd prints error messages of the form`
			`+ # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."`
			`+ <Limit All Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document>`
Updating link to change in openSUSE:Factory/cups revision 70.0 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=018c50e08ef5ce023c87a657e330f3ef 2010-03-18 22:08:54 +00:00			`+ Order deny,allow`
			`+ Allow from all`
			`+ </Limit>`
			`+</Policy>`
Accepting request 52897 from home:jsmeix:branches:Printing Upgrade to CUPS 1.4.5 OBS-URL: https://build.opensuse.org/request/show/52897 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=207 2010-11-12 08:51:26 +00:00			`+# Explicitly set the CUPS 'default' policy to be used by default:`
Updating link to change in openSUSE:Factory/cups revision 70.0 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=018c50e08ef5ce023c87a657e330f3ef 2010-03-18 22:08:54 +00:00			`+DefaultPolicy default`
			`+`
Accepting request 215537 from home:jsmeix:branches:Printing Solve bnc#857372 (and its various duplicates) by a major clean up and fix of the systemd unit files for CUPS that makes it again simple and secure to get cupsd working again as it did all the time in the past by a single simple and secure cups.service unit file. For experienced users cups.socket and cups.path are still provided as templates in /usr/share/doc/packages/cups/systemd/ so that experienced users can derive their own cups.socket and cups.path files according to their particular needs. When cupsd again "just works" as it did all the time in the past, then the next step is an optional systemd generator to create cups.socket that matches cupsd.conf see bnc#861084. OBS-URL: https://build.opensuse.org/request/show/215537 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=274 2014-01-29 15:05:09 +00:00			`#`
			`# End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".`
			`#`